Method for modifying a configuration and industrial plant system

ABSTRACT

In order to enable a seamless configuration modification during operation, a first automation device sends a second automation device a request for parameter modification. The second automation device responds to the request, such that a standby acknowledgement of the request is sent. Immediately with the transmission of the standby acknowledgement in the second automation device, an output process image is frozen, and the modification of the communication parameters for the second automation device is carried out. The first automation device responds, such that after receiving the standby acknowledgement in the first automation device, the communication is immediately stopped and the modification of the communication parameters is carried out for the first automation device. An input process image is frozen.

This application claims the benefit of EP 18183956.4, filed on Jul. 17,2018, which is hereby incorporated by reference in its entirety.

BACKGROUND

The present embodiments relate to modifying a configuration ofcommunication parameters in a communication link designed for functionalsafety between a first automation device and a second automation device.

The present embodiments relate to the technical field of functionallysafe communication, which, inter alia, is used in the communicationbetween field devices, control components, and similar facilities inindustrial process automation or in manufacturing automation. Such afunctionally safe communication is also referred to as F-communicationand is used, for example, in safety-related applications (e.g., iferrors in communication may lead to endangering persons or property).

With such a functionally safe communication link, for example, duringoperation of an industrial plant, an uninterruptible plant operationalso plays a decisive role in modifying a configuration on devices andnetworks or when adding, removing, or exchanging devices or individualmodules.

Configuration modifications during operation, also known as “changeparameter in run” measures (PiR), are to be carried out seamlessly andare not to affect communication in the network. A continuous productionoperation may thus be provided without a plant shutdown.

The European patent EP 2 814 193 B1 entitled “Method and system foridentifying faults in the transmission of data from a transmitter to atleast one receiver” concerns functionally safe communication; a solutionfor a seamless reparameterization in a functionally safe connection isnot shown in EP 2 814 193 B1, however.

SUMMARY AND DESCRIPTION

The scope of the present invention is defined solely by the appendedclaims and is not affected to any degree by the statements within thissummary.

The present embodiments may obviate one or more of the drawbacks orlimitations in the related art. For example, a reparameterization or aconfiguration modification of communication parameters is enabled in acommunication link configured for functional safety during operation asfar as possible without an interruption or changeover collision for theplant process.

In one or more of the present embodiments, a first automation devicesends a request for a parameter modification to a second automationdevice. The second automation device responds to the request such that astandby acknowledgment of the request is sent. In the process, an outputprocess image is immediately frozen with a transmission of a standbyacknowledgment in the second automation device. As a result of this, theprocess output data finally output to the second automation device iskept at a last value, and the modification of the communicationparameters for the second automation device is carried out. Further, thefirst automation device responds such that after receiving the standbyacknowledgment in the first automation device, the communication isimmediately stopped, and the modification of the communicationparameters is carried out for the first automation device. An inputprocess image is frozen. As a result of this, the process input datafinally present on the first automation device is kept at a last value.When the modification of the communication parameters in the firstautomation device is concluded, this restarts the communication andsends new process output data as an output process image to the secondautomation device. As a result of this, the process output data outputfinally on the second automation device is replaced by updated processoutput data.

A Profisafe protocol for a Profinet link is used for the safety protocolwithin one or more of the present embodiments, for example. Thefunctionally safe protocol Profisafe may then be implemented in thetransmit-receive applications and in the device drivers.

The quickest possible implementation of a two-sided reparameterizationand a restart of a functionally safe communication stack isadvantageously achieved. In the first automation device, thereparameterization is started immediately, as soon as the firstautomation device has identified an acknowledgment of a “parametermodification” request. The second automation device likewise begins withthe reparameterization immediately if the second automation device hasgenerated the acknowledgment “parameter modification”, although thesecond automation device does not yet know when the first automationdevice detects or receives this acknowledgment. In the process, thesecond automation device leaves a process image unmodified until thefirst automaton device sends new process output data as an outputprocess image to the second automation device.

In a further embodiment of the method, the transmission of the standbyacknowledgment starts a first timer with a first runtime in the secondtransmit-receive application. The first timer is used to monitorwhether, within the first runtime, the communication has been restartedagain by the automation device. As a result, new process output data hasbeen sent as a new output process image to the second automation device.If this is the case, then the second automation device responds with aready acknowledgment and stops the first timer. The time monitoring inthe first timer is used as a watchdog, and if the ready acknowledgmentdoes not arrive at the first runtime of the first timer, an error isproduced and safe replacement values are provided, for example, or asafe state is assumed.

In order to further improve safety, following receipt of theready-acknowledgment in the first automation device, a second timer witha second runtime is started in the first transmit-receive application,and the second timer is used to monitor whether the ready acknowledgmenthas been received within the second runtime. The time monitoring alsoserves as a watchdog function, and if the timer elapses before the readyacknowledgment occurs, an error response is generated and/or replacementvalues are provided.

In one embodiment, the ready acknowledgment simultaneously includes newprocess input data as the new input process image for the firstautomation device.

A significant advantage is considered to be that the method is used tocarry out the configuration modifications in an industrial plant systemfor controlling the safety-critical process according to the afore-citedsolution features, where as a result, an uninterruptible plant operationis enabled during the configuration modification.

A further measure that increases the communication safety is consideredto be that, after the restart of the communication in addition to thesent new process output data, a signature is formed via the newcommunication parameters. This signature is additionally sent to thesecond automation device, and in the second automation device, the sentsignature is compared with a signature formed in the second automationdevice via the new communication parameters. If the comparison ispositive, then the process image is modified; if the comparison isnegative, a safety action is introduced (e.g., on the other hand, if itremains thus or a safety action is introduced because, on account of amodified signature, a transmission error has possibly been identified).

In one or more of the present embodiments, an industrial plant systemincludes the first automation device embodied to obtain a request forparameter modification from the configuration system and send therequest to the second automation device for parameter modificationpurposes. In the process, the second automation device is embodied torespond to the request such that a standby acknowledgment of the requestis sent. Further, the second automation device is embodied toimmediately freeze an output process image at the time instant oftransmitting the standby acknowledgment. As a result of this, theprocess output data output finally to the second automation device iskept at a last value in order to trigger the modification of thecommunication parameters for the second automation device. Further, thefirst automation device is embodied, after receiving the standbyacknowledgment in the first automation device, to immediately halt thecommunication and to carry out the modification of the communicationparameters for the first automation device. The first automation deviceis further embodied to freeze a first input process image. As a resultof this, the process input data finally present on the first automationdevice is kept at a value. Further, after concluding the modification ofthe communication parameters in the first automation device, the firstautomation device is embodied to reestablish the communication and tosend new output data as an output process image to the second automationdevice.

An engineering system (e.g., an engineering system from the companySiemens AG with the name “TIA Portal”) is used, for example, as theconfiguration system. Functionally safe modules may be parameterized andconfigured using this engineering system. For example, F parameters,such as an F monitoring time, an F target address, a behavior accordingto channel errors, or an F-peripheral DB number, are parameterized orset, for example, in the region of the communication parameters.

An advantage is considered to be that during operation of a plant, aparameterization may take place, and a seamless reparameterization ofthe communication link is thus enabled. The processing of the parametermodification in the two automation devices plays a significant role. Inaccordance with one or more of the present embodiments, this processingmay begin significantly earlier than is known in the prior art. Further,a software-related implementation of the new method is easier than inthe prior art.

In one or more of the present embodiments, the plant system is embodiedsuch that the second transmit-receive application has a first timer andis embodied at the time instant of transmitting the standbyacknowledgment to start the first timer and to monitor whether thecommunication has been restarted by the first automation device within afirst runtime.

The first transmit-receive application has a second timer, and isembodied, at the time instant of receiving the standby acknowledgment,to start the second timer and to monitor whether a ready acknowledgmentis received within a second runtime. The first automation device or thefirst transmit-receive application is also embodied, after the restartof the communication, in addition to the sent new process output data,to form a signature via the new communication parameters. This signatureis additionally sent to the second automation device. In the secondautomation device, the sent signature is compared with a secondsignature formed in the second automation device via the newcommunication parameters. Accordingly, the second transmit-receiveapplication is embodied for this comparison, and on account of theknowledge of the new communication parameters and the formation of asecond signature, may generate an expectation with respect to the newparameters. Should the expectation not match, an error response isgenerated.

BRIEF DESCRIPTION OF THE DRAWINGS

According to the drawing, an exemplary embodiment of the invention ispresented, in which:

FIG. 1 shows a process flow for communication modification ofcommunication parameters according to the prior art;

FIG. 2 shows a process flow according to an embodiment;

FIG. 3 shows a first automation device and a second automation devicewith a connected configuration system according to an embodiment;

FIG. 4 shows an exemplary sequence flow for introducing a configurationmodification during operation; and

FIGS. 5A-5B show an exemplary sequence flow for configurationmodification during operation with detailed acknowledgment events.

DETAILED DESCRIPTION

According to FIG. 1, a main process flow is shown for a configurationmodification between a first automation device A and a second automationdevice B according to the prior art. A first knowledge level K1, asecond knowledge level K2, a third knowledge level K3, and a fourthknowledge level K4 are shown with dashed lines. In the first knowledgelevel K1, the first automation device A knows that a message has beensent and that the first automation device A wants to reparameterize. Inthe second knowledge level K2, the second automation device B knows thatthe first automation device A intends to reparameterize. In the thirdknowledge level K3, the first automation device A knows that the secondautomation device B has received the message that the first automationdevice A wants to reparameterize. In the fourth knowledge level K4, thesecond automation device B knows that the first automation device Aknows that the second automation device B has received the message thatthe first automation device A wants to reparameterize.

The first automation device A sends a request 31 for parametermodification to the second automation device B. The second automationdevice B responds thereto with the transmission of a standbyacknowledgement 32. The first automation device A sends anacknowledgment 33, and after receiving the acknowledgment 33 in theautomation device A, the action start of the reparameterization SU iscarried out. A waiting time WZ is started in the first automation deviceA with the transmission of the acknowledgment 33. After the waiting timeWZ has elapsed, a new connection set-up 34 is carried out between thefirst automation device A and the second automation device B. A previousreparameterization time t_(old) runs from the transmission of therequest 31 to the receiving of the new connection set-up 34 and is toolong for the desired seamless reparameterization during plant operation.

According to FIG. 2, it is now shown that according to one or more ofthe present embodiments, the previous reparameterization time t_(old)may be converted into an improved, new shortened reparameterization timet_(new). The previous fixedly set waiting time WZ (see FIG. 1) is nowobsolete. With the method for modifying configurations of communicationparameters KP1 in a communication link 1, 1′ configured for functionalsafety (see FIG. 3) between the first automation device A and the secondautomation device B, the first automation device A sends a request 31for parameter modification to the second automation device B, and thesecond automation device B responds to the request 31 with a standbyacknowledgment 32.

An output process image is frozen immediately with the transmission ofthe standby acknowledge 32 in the second automation device B. As aresult of this, the process output data OV finally output on the secondautomation device B is kept at a last value. The modification of thecommunication parameters from the first communication parameters KP1 tothe second communication parameters KP2 is now carried out for thesecond automation device B. The first automation device A now begins,after receiving the standby acknowledgement 32 in the first automationdevice A, to immediately halt the communication and to carry out themodification of the communication parameters KP2 for the firstautomation device A. In this case, an input process image is likewisefrozen in the first automation device A. As a result of this, theprocess input data IV finally present on the first automation device Ais kept at a last value. If the modification of the communicationparameters from KP1 to KP2 is concluded in the first automation deviceA, this reestablishes the communication. A new connection set-up 34 isestablished. New process output data OV is sent as an output processimage to the second automation device B. As a result of this, theprocess output data OV output finally on the second automation device Bis replaced by updated process output data OV. A comparison between FIG.1 and FIG. 2 with the times for the reparameterization is produced inthat the shortened reparameterization t_(new) now requires less timethan the previous reparameterization time t_(old). As a result of this,a reparameterization in runtime may take place seamlessly.

By adding watchdog functionalities in the form of a first timer WD1 anda second timer WD2, the functional safety is further increased. With thetransmission of the standby acknowledgment 32, a first timer WD1 with afirst runtime T1 is started in the second transmit-receive applicationSEA2, and the first timer WD1 is used to monitor whether thecommunication by the first automation device A has been restarted withinthe first runtime T1. As a result, new process output data OV has beensent as a new output process image to the second automation device B. IIf this is the case, the second automation device B then responds with aready acknowledgment 35 and stops the first timer WD1.

After receiving the standby acknowledgment 32 in the first automationdevice A, a second timer WD2 is started with a second runtime T2 in thefirst transmit-receive application SEA1, and the second timer WD2 isused to monitor whether the standby acknowledgment 35 has been receivedwithin the second runtime T2.

After the restart of the communication link 34, in addition to the sentnew process output data OV, a signature CRC is formed via the newcommunication parameters, KP2 and this signature CRC is additionallysent to the second automation device B. In the second automation deviceB, the sent signature CRC is compared with a second signature CRC′formed in the second automation device B by way of the new communicationparameters KP2. If the comparison is positive, then the process image ismodified; if the comparison is negative, a safety action is introducedor safe replacement values are provided, because an error has beenidentified.

As a result of the communication parameters KP2 to be modified havingalready been communicated to the second automation device B in advance,a second signature CRC′ may likewise form per se by way of the secondcommunication parameters KP2, so that an expectation has in effect beengenerated; when this does not correspond to the sent signature CRC ofthe second communication parameters KP2 from the first automation deviceA, an error must have occurred.

According to FIG. 3, an overview is shown in the form of a blockdiagram. Via a configuration system 2, communication parameters may beexchanged during operation. The configuration system 2 is connected tothe first automation device A and sends a request (see also FIG. 4) forparameter modification to the first automation device A. The firstautomation device A and the second automation device B are connected toone another via a field bus 3.

The first automation device A has a first transmit-receive applicationSEA1 and a first device driver G1. The second automation device B has asecond transmit-receive application SEA2 and a second device driver G2.The configuration system 2 connected to the first automation device A isembodied to configure the respective transmit-receive applications SEA1,SEA2 and the respective device drivers G1, G2 with a first set ofconfiguration parameters KP1 and for a modification to configure therespective transmit-receive applications SEA1, SEA2 and the respectivedevice drivers G1, G2 with a second set of configuration parameters KP2.

The first automation device A is embodied to obtain a request 31 forparameter modification from the configuration system 2, and to send thisto the second automation device B for parameter modification purposes.The second automation device B is embodied to respond to the request 31such that a standby acknowledgment 32 of the request 31 is sent.

For reparameterization, the second automation device B is embodied toimmediately freeze an output process image at the point in time oftransmitting the ready acknowledgment 32′. As a result of this, theprocess output data OV finally output on the second automation device Bis kept at a last value. The configuration parameters are now modifiedfrom KP1 to KP2.

The first automation device A is embodied, after receiving the standbyacknowledgment 32 or 32′ in the first automation device A, toimmediately halt the communication and to trigger the modification inthe communication parameters from KP1 to KP2. In this case, the inputprocess image is frozen. As a result of this, the process input data IVfinally present at the first automation device A is kept at a lastvalue. After the modification in the communication parameters KP2 in thefirst automation device A has concluded, the communication is restarted,and new process output data OV is sent to the second automation deviceB. For a watchdog functionality, the first automation device A has asecond timer WD2, and the second automation device B has a first timerWD1.

With FIG. 4, a flow sequence of telegrams and requests between the firstautomation device A and the second automation device B is illustratedfor a configuration modification during operation or for a parametermodification in runtime (PiR). A user 4 triggers a start of a parametermodification via the configuration system 2 with the command Start_PiR2.0. Thereupon, new F parameters are sent to the first automation deviceA and to the first transmit-receive application SEA1, send_new F-Par 2.1send_new F-Par 2.2. The first automation device A now knows that thefirst automation device A should be reparameterized and sends a commandPrmBegin (for this submodul) 2.3 to the second automation device B(e.g., to the second receive application SEA2). A new data set is alsosent Write_Record (e.g., one or more records) 2.4, and then, the commandPrmEnd 2.5 is established.

The second automation device B or the second transmit-receiveapplication SEA2 then responds with the knowledge New_F-Par 2.6 andsends a command Application_Ready (for this submodul) 2.7 back to thefirst automation device A. The first automation device A sends a commandPRM_Update accepted 2.8 to the configuration system 2. This may nowtrigger the actual start PiR 3.0 of the reparameterization. The processof reparameterization start PiR 3.0 is explained in detail with FIG. 5.

FIG. 5 shows how the reparameterization after the start command StartPIR 3.0 proceeds using the configuration system 2.

The first automation device A is shown with a dashed line and shows thecombination of the first transmit-receive application SEA1 and the firstdevice driver G1. The second automation device A is likewise shown witha dashed line and shows the second transmit-receive application SEA1 andthe second device driver G2. The first automation device A and the firsttransmit-receive application SEA1 now receive the start command for thereparameterization start PiR 3.0 and thus respond internally with aresponse start PiR 3.1, whereupon the command iPar_EN_C=1 3.2 is sent.This provides that a parameter modification is now enabled. This isforwarded again by the first device driver G1 by the command iPar_EN=13.1, and the ability or command for enabling the parameter modificationis forwarded to the second device driver G2 of the second automationdevice B. The second device driver G2 internally informs the secondtransmit-receive application SEA2 about the parameter modification withthe command iPAR_EN_DS=1 3.4. Now, the second transmit-receiveapplication SEA2 triggers the freezing of the process output values OVwith the command Hold_LOV Start WD-PiR 3.5. The second transmit-receiveapplication acknowledges this with iPar_OK_DC=1 3.6. The start WD-PiRcommand starts the first timer WD1.

The second transmit-receive application SEA2 responds with anacknowledgment of the possibility of reparameterization iPar_EN_DE=1with iPar_OK_DC=1 3.6. The second automation device B now stays in awaiting state Wait for iPar_EN_DS=0 3.7.

The second device driver G2 sends an iPar_OK=1 3.8 to the first devicedriver G1. The first device driver G1 thereupon responds with a transmitcommand to the first transmit-receive application SEA1 and sends thisiPar=OK_S=1 3.9. From here on, the process input values IV are startedwith the command Hold Load Input-Value (LIV) or use FV and start WD-PiR3.10. The second timer W2 is now started for the monitoring timeexplained with FIG. 2.

With a command Stop PSD, the Profisafe driver PSD is stopped and theProfisafe communication is therefore likewise stopped. The Profisafedriver is also stopped on the side of the second automation device Bwith the command Stop PSD 4.1 and also on the side in the second devicedriver G2. The check for new parameters and the use of the newparameters with the command Check and use new iPar 4.2 may now becarried out on the side of the second automation device B. The newconfiguration parameters are likewise used on the side of the firstautomation device A with the command Use new F-Pair 4.3. On both sides(e.g., on the side of the first automation device A and on the side ofthe second automation device B), the respective Profisafe driver may nowbe restarted. This takes place on the side of the second automationdevice B with the command Restart PSD, iParOK_DE=0 4.5 and on the sideof the first automation device A with the command Restart PSD,iPar_EN_C=0 4.6.

Then, starting from the side of the first automation device A, aconnection restart is carried out with the command Restart PROFIsafecomm 5.0. The side of the second automation device B responds with acyclical Profisafe Communication Cyclic PROFIsafe comm 5.1. In the eventthat replacement values (e.g., error values FV) have been used, thesenow are reset with the command FV_activated=0. This takes place with 5.6on the side of the second automation device B and with 5.7 on the sideof the first automation device A. The new values in the cyclicalcommunication are then integrated again with the command End Hold_LV useInput-Value stop WD-PiR 5.9, and the notification New F-Parameterinstalled 5.10 is then given to the user 4 via the configuration system2. The reparameterization in runtime is thus ended with PiR finished5.11.

In FIG. 4 and FIG. 5, the reparameterization is carried out seamlesslybetween the cyclical communication, as above, for example, in FIG. 4,with 1.0, 1.2 and 1.1.

The elements and features recited in the appended claims may be combinedin different ways to produce new claims that likewise fall within thescope of the present invention. Thus, whereas the dependent claimsappended below depend from only a single independent or dependent claim,it is to be understood that these dependent claims may, alternatively,be made to depend in the alternative from any preceding or followingclaim, whether independent or dependent. Such new combinations are to beunderstood as forming a part of the present specification.

While the present invention has been described above by reference tovarious embodiments, it should be understood that many changes andmodifications can be made to the described embodiments. It is thereforeintended that the foregoing description be regarded as illustrativerather than limiting, and that it be understood that all equivalentsand/or combinations of embodiments are intended to be included in thisdescription.

The invention claimed is:
 1. A method for configuration modifications ofcommunication parameters in a communication link configured forfunctional safety between a first automation device and a secondautomation device, the method comprising: exchanging data from the firstautomation device to the second automation device and from the secondautomation device to the first automation device using a safetyprotocol; using the data as process output data or as process input datafor a safety-critical process; running a first transmit-receiveapplication on the first automation device, such that the firsttransmit-receive application, together with a first device driver,carries out a communication; running a second transmit-receiveapplication on the second automation device, such that the secondtransmit-receive application, together with a second device driver,carries out the communication, wherein the first transmit-receiveapplication and the second transmit-receive application, and the firstdevice driver and the second device driver operate before a modificationwith a first set of communication parameters and after a modificationwith a second set of communication parameters; sending, by the firstautomation device, a request for parameter modification to the secondautomation device; responding, by the second automation device, to therequest such that a standby acknowledgment of the request is sent,wherein an output process image is frozen, such that the process outputdata finally output on the second automation device is kept at a lastvalue as a result of the output process image being frozen; carrying outthe modification of the communication parameters for the secondautomation device; responding, by the first automation device, such thatafter receiving the standby acknowledgement in the first automationdevice, the communication is immediately stopped and the modification tothe communication parameters is carried out for the first automationdevice, wherein an input process image is frozen, such that the processinput data finally present at the first automation device is kept at alast value; and restarting the communication when the modification ofthe communication parameters in the first automation device is concludedand sending new process output data as the output process image to thesecond automation device, wherein as a result of the sending of the newprocess output data as the output process image, the process output datafinally output on the second automation device is replaced by updatedprocess output data.
 2. The method of claim 1, wherein the outputprocess image is frozen and the modification of the communicationparameters for the second automation device is carried out immediatelywith the transmission of the standby acknowledgment in the secondautomation device.
 3. The method of claim 1, wherein with thetransmission of the standby acknowledgement, a first timer with a firstruntime is started in the second transmit-receive application, and thefirst timer is used to monitor whether the communication has beenrestarted by the first automation device within the first runtime and asa result new process output data has been sent as a new output processimage to the second automation device and if this is the case, thesecond automation device then responds with a ready acknowledgement andstops the first timer.
 4. The method of claim 1, wherein after receivingthe standby acknowledgement in the first automation device, a secondtimer with a second runtime is started in the first transmit-receiveapplication and the second timer is used to monitor whether the readyacknowledgement has been received within the second runtime.
 5. Themethod of claim 4, wherein the ready acknowledgement comprises newprocess input data as a new input process image for the first automationdevice.
 6. The method of claim 1, wherein the configurationmodifications are configuration modifications in an industrial plantsystem for controlling a safety-critical process, and wherein as aresult of the method, an uninterruptible plant operation is enabledduring the configuration modifications.
 7. The method of claim 1,further comprising: forming a signature via the new communicationparameters in addition to the sent new process output data after therestarting of the communication; sending the signature to the secondautomation device; and comparing, in the second automation device, thesent signature with a signature formed in the second automation devicevia the new communication parameters.
 8. The plant system of claim 7,wherein the second transmit-receive application has a first timer and isconfigured, at a time instant of transmission of the standbyacknowledgement, to start the first timer and monitor whether thecommunication has been restarted by the first automation device within afirst runtime.
 9. An industrial plant system for controlling asafety-critical process, the industrial plant system comprising: a firstautomation device and a second automaton device that are connected toone another via a fieldbus, wherein the first automation device includesa first transmit-receive application and a first device driver, and thesecond automation device includes a second transmit-receive applicationand a second device driver; a configuration system configured to:configure the first transmit-receive application and the secondtransmit-receive application, and the first device driver and the seconddevice driver with a first set of communication parameters; and for amodification, configure the first transmit-receive application and thesecond transmit-receive application, and the first device driver and thesecond device driver with a second set of communication parameters,wherein the first automation device is configured to: obtain a requestfor a parameter modification from the configuration system; and send therequest for the parameter modification to the second automation devicefor parameter modification purposes, wherein the second automationdevice is configured to: respond to the request, such that a standbyacknowledgment of the request is sent; and immediately at a time instantof transmission of the standby acknowledgement: freeze an output processimage, wherein the process output data finally output on the secondautomation device is kept at a last value as a result of the freeze ofthe output process image; and trigger the modification of thecommunication parameters for the second automation device, and whereinthe first automation device is configured to: immediately stop thecommunication after receipt of the standby acknowledgment in the firstautomation device; carry out the modification of the communicationparameters for the first automation device; and freeze an input processimage, wherein the process input data finally present on the firstautomation device is kept at a last value as a result of the freeze ofthe input process image, wherein after modification of the communicationparameters in the first automation device has concluded, thecommunication is restartable, and new process output data is sendable asan output process image to the second automation device.
 10. The plantsystem of claim 9, wherein the first transmit-receive application has asecond timer and is configured, at a time instant of receipt of thestandby acknowledgement, to start the second timer and monitor whether aready acknowledgement is received within a second runtime.
 11. The plantsystem of claim 9, wherein the first automation device and the firsttransmit-receive application are configured to form a signature via thenew communication parameters after the restart of the communication inaddition to the sent new process output data, and send the signature tothe second automation device, wherein the second automation device isconfigured to compare the sent signature with a second signature formedin the second automation device via the new communication parameters,and wherein the second transmit-receive application is configured forthe comparison and, on account of knowledge of the new communicationparameters and the formation of a second signature, generate anexpectation with respect to the new communication parameters, and whenthe expectation does not match, is configured to produce an errorresponse, provide replacement values, or produce the error response andprovide the replacement values.